
Jessica

Safe Handling of User Submitted Variables


Hi :) Right now I have a few functions I am using for when a user submits info, which strip out anything that could be dangerous. Is there anything else I need to add, or do they look okay as is?

Here are two of them:

[code]// Strip HTML tags, then escape the value for use inside a quoted MySQL string.
// mysql_real_escape_string() needs an open mysql connection to work.
function safe_POST($item){
    $item = mysql_real_escape_string(strip_tags($_POST[$item]));
    return $item;
}

// Coerce a GET value to an integer; anything non-numeric silently becomes 0.
function safe_int_GET($item){
    $item = intval($_GET[$item]);
    return $item;
}[/code]

[quote=jesirose @ Mar 8 2006, 03:00 PM]
Hi :) Right now I have a few functions I am using for when a user submits info, which strip out anything that could be dangerous. Is there anything else I need to add, or do they look okay as is?

Here are two of them:

[code]function safe_POST($item){
    $item = mysql_real_escape_string(strip_tags($_POST[$item]));
    return $item;
}

function safe_int_GET($item){
    $item = intval($_GET[$item]);
    return $item;
}[/code]
[/quote]

Well, that's one way to do it. You can also use preg_match() to ensure that the data is exactly what you're looking for. Then wrap it from there if you need to insert it into a database.

[quote=lessthanthree @ Mar 8 2006, 03:36 PM]
Just to add.

If you're expecting numbers as well as using intval you could use is_numeric()
[/quote]

Why would I do that? Doesn't that just find out if it is a number, whereas intval returns the numeric value? Can you explain the value of checking if it's a number? Thanks :)

The only real advantage it has over intval is that if you are definitely expecting a number you can use something like

if(!is_numeric($_GET["id"])) // print some kind of error.

Which can quite often be useful as it is therefore obvious that characters have been submitted. This would not be apparent using intval().

[quote=jesirose @ Mar 8 2006, 04:40 PM]
Why would I do that? Doesn't that just find out if it is a number, whereas intval returns the numeric value? Can you explain the value of checking if it's a number? Thanks :)
[/quote]

Well, if you're expecting a number, and someone submits a character, is_numeric will make that apparent...

I generally do checks like this:

[code]
if (preg_match('/^\w+$/', $_REQUEST['variable'])) {
   $myvar = $_REQUEST['variable'];
} else {
   // Either warn the user or fall back to a "default"
}
[/code]

That would be for a text value containing any alphanumeric character including _ ... You can obviously change the regex to something else as needed.

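As an added example (not code from anyone in this thread), here is how the two points made above, detecting a non-number instead of silently coercing it, and whitelisting with a regex, look in current PHP, with a bound parameter in place of string escaping for the database step. The sample inputs, the "users" table and the PDO connection passed to find_user() are assumptions.

```php
<?php
// Constructed sample inputs standing in for request values; the table name
// "users" and the PDO connection handed to find_user() are assumptions.

/** Strict integer id check. is_numeric() also accepts "1e3" and "7.5", and
 *  intval("7abc") silently returns 7; FILTER_VALIDATE_INT rejects all three
 *  and returns false, so bad input is detected rather than coerced. */
function validate_id(string $raw): ?int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Whitelist check for a short identifier. \A and \z replace ^ and $ because
 *  $ also matches before a trailing newline, so /^\w+$/ accepts "abc\n". */
function validate_token(string $raw): ?string {
    return preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $raw) === 1 ? $raw : null;
}

/** Escaping (mysql_real_escape_string in the thread) only protects the quoted
 *  string context; a bound parameter is never parsed as SQL at all. */
function find_user(PDO $db, int $id): ?array {
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: valid id, trailing junk, exponent, float, negative,
// trailing newline, a valid token and a token with a stray character.
$samples = ['42', '7abc', '1e3', '7.5', '-1', "abc\n", 'user_name', 'a;b'];
foreach ($samples as $s) {
    printf("%-12s is_numeric=%-5s intval=%-5d id=%-5s token=%s\n",
        json_encode($s), var_export(is_numeric($s), true), intval($s),
        var_export(validate_id($s), true), var_export(validate_token($s), true));
}
```

Each row shows what intval() would have accepted, what is_numeric() would have flagged, and what the stricter checks return (NULL meaning "reject and report", as lessthanthree suggests).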
[quote=lessthanthree @ Mar 8 2006, 03:44 PM]
The only real advantage it has over intval is that if you are definitely expecting a number you can use something like

if(!is_numeric($_GET["id"])) // print some kind of error.

Which can quite often be useful.
[/quote]

Okay great, thanks :) I will remember that one.
